By Joris Evers, News.com
Posted on ZDNet News: Feb 8, 2006 7:23:00 PM

Computer code that could be used in cyberattacks on Firefox users has been released, increasing the urgency for people to upgrade to the latest version of the Web browser.

The two pieces of exploit code, posted online earlier this week, take advantage of a security vulnerability in Firefox that Mozilla patched in an update Thursday. In response to the exploit release, the browser maker on Tuesday upgraded the severity rating of the flaw from "moderate" to "critical," its most serious rating.

"This exploit was published after we released the 1.5.0.1 update," said Mike Schroepfer, vice president of engineering at Mozilla. "Most of our users had already been upgraded by the time this exploit was published."

The code could be used to commandeer computers running a vulnerable version of the open-source Web browser on Linux or Mac OS X systems. It has been published as part of the Metasploit Framework, a widely used hacking tool.

The specific flaw exists only in Firefox 1.5 and was fixed in Firefox 1.5.0.1. The problem could cause memory corruption that an outsider could use to run code on a vulnerable PC, according to a Mozilla advisory. The corruption would come from calling the "QueryInterface" method of the Location and Navigator objects in the browser.

Firefox users have already been urged to install the patched version of the browser. Security monitoring company Secunia last week rated the Firefox update "highly critical," and Mozilla has pushed out updates.

If for some reason users have not upgraded, they should definitely do so, Schroepfer said.
